A Holistic View: Internal MFT in the Financial Services Industry

John Wilson, Director of Solution Enablement – FSI, Axway

“When you think of setting up an SLA, and that causes you to cringe, that’s going to be a good indication that there’s areas for improvement. If you still have the memory of looking through all those audit logs for that lost file or trying to back out a duplicate file that was loaded…(if) those are still fresh in your mind, then these also may be good indicators as well. It’s a super competitive market. Any black mark to your reputation can cause devastation. Causes undue expenses, lost revenue, and even loss of customers.”

The Infrastructure Does Not Understand the Data Itself

Taher Elgamal, CSO, Axway

“All companies today get to deal with information that somebody else owns, and that’s a very interesting thing. If I’m processing the information on behalf of someone, that information can have a lot of confidential…things, can have a lot of privacy issues for individuals, and so on and so forth. It turns out that it’s really, really difficult to understand data as a piece of the infrastructure. You have to do a lot of work. Effectively, a lot of the data leakage protection products actually ended up doing that. …if you try to fast forward several years from now, I think these technologies will end up being part of an audit, not part of the operational management of the network or the security of the network or the security of the applications or any of that. And I think that at some point the applications that manage data will end up taking a lot of the interesting technologies that you can use to understand what the data is about, understand what to do with the data, understand how to impose policies and enforce things and understand who’s allowed to do what with the data versus who’s not.”

From Survival to Revival: The Evolution of Financial Services Delivery Platforms

John Applegate, Director, Financial Services Solutions, Axway

Exchanging Information Safely and Securely within Your Ecosystem

Embedding DLP Tools in Applications Will Bring Better Results

Taher Elgamal, CSO, Axway

Don’t Ignore the “Paranoid” Security Guy, Part 2

by Taher Elgamal
Chief Security Officer

(To read Part 1, click here.)

This is going to continue to be an arms race for a long time.

I don’t think society will actually change. People in important positions don’t even listen to financial experts, let alone IT security experts. And I’m willing to bet money that there is another financial problem that somebody has warned us about, and that nobody is paying attention to, because of the cost. People are hesitant to take action with anything that involves cost. I’m not saying you should spend money on a whim. But there are certainly a collection of experts in every single one of these technical fields that can make a judgment call as to how much risk a system is willing to take and when we must draw the line. And right now, we’re drawing the line so far out that a lot of criminals can gain a great deal of unauthorized access, and the level of fraud online carried out today is indicative of this.

The real issue is a fundamental lack of imagination on the part of the decision makers and CEOs. “Why am I going to spend all this money?” the CEO asks. The CEO waits until a regulation comes up. When the government actually speaks up and sticks a regulation to a certain type of company for something, the CEO puts forth the effort to get there. The problem with mere regulation—and this is how the entire system works—is that it doesn’t solve the real problem. It just makes people compliant. It does not make sure that the wrong people don’t gain unauthorized access, it just makes sure that the right people are acting just a little bit more safely. It’s true, I’ll admit, it is a little bit better to be compliant with all these regulations. But it does not address the real issue.

Finally, consider this:

If the concern over cyber issues is now an integral part of business, if it’s no longer a back office thing, if it’s now front and center, in the middle of everything, then cybersecurity people should be involved in the decision-making process, not just dismissed as back-office techies. That implies more training for the cybersecurity people to both be able to evaluate risk and to understand the particular business needs that the enterprise faces. Are you ready for that?

Don’t Ignore the “Paranoid” Security Guy, Part 1

by Taher Elgamal
Chief Security Officer

Michael Fitzgerald’s excellent piece for CSOOnline.com, “Organized Cybercrime Revealed,” continues to be pointed to on Twitter more than a month after its publication.

And rightly so. It’s a nice article, full of excellent details and compelling information.

But the thing that puzzles me always about an article like this is why it discusses, as news, something that is completely expected. If you put money in front of a criminal, what do you think they’re going to do with it? We’ve continued to blame criminals for criminal acts, which makes no sense: it’s what they do! When society provides opportunities for criminals to act like criminals, it’s society who is truly at fault.

If you would’ve asked anyone in the security/technical community—any reasonable CSO—at any time in the last fifteen years, “How will the profile of a hacker shift in the future?”, they would’ve told you that the smart hacker who wants to be famous by writing cute little viruses will be replaced by an actual criminal committing an actual crime, because things online aren’t secured very well. Sure, we have some controls and technologies deployed, but there has not been enough support to deploy even simple authentication technologies, and the absence of these technologies gives modern hackers gumption. The entire Web runs on passwords, and these passwords are very easy to guess. That this is still the paradigm reflects a fundamental ignorance on the part of business people and governments. People who implement systems and run corporations don’t want to listen to security guys because security guys are, in their opinion, flat-out paranoid. Why would you want to listen to a paranoid guy tell you that there is a possibility that at some point in the future something bad will happen? But despite the fact that so many bad things are happening, and that this “just ignore the paranoid security guy” attitude led to these bad things, we still think this way.

In the second part of this blog entry, I’ll speculate on where this is all going.